Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
Combatting Operational Risk through
Regulatory Technology
Kateri Ganpat and Narissa Harrypersad1
Abstract
Global interest in regulatory technology, or RegTech, has grown rapidly within recent years following more
demanding reporting requirements spurred by the Global Financial Crisis. In response, institutions and
regulators alike have explored ways in which technological advancements can be used to their advantage,
particularly in improving risk monitoring frameworks and counteracting operational risk associated with
regulatory compliance and evolving financial innovation. In an effort to take stock of trends in the global
regulatory sphere, this paper explores the development of RegTech internationally and analyses the
opportunities and challenges of integrating advanced RegTech solutions to combat operational risk in
Trinidad and Tobago.
JEL Classification Numbers: G21, G28, G32, O32, O33.
Keywords: compliance, financial regulation, fintech, innovation, regtech, operational risk.
September 2018
1 The authors are research economists at the Central Bank of Trinidad and Tobago. The views expressed in the paper are those of the authors and not necessarily the views of the Central Bank.
1.0 INTRODUCTION 1
1.0 INTRODUCTION
The number, frequency and complexity of regulatory demands for financial institutions have multiplied in
the aftermath of the Global Financial Crisis (GFC). As such, institutions have been exploring cost-effective
solutions to ease the burden of supervisory requirements and minimize operational risk stemming from
non-compliance2. At the same time, the financial sector has embraced the ongoing technological revolution
which has facilitated the integration of financial technology (FinTech) into business processes. While
potential benefits of FinTech are many, it has introduced new avenues for operational risk in the financial
system due to its evolution in the digital space.
Regulatory technology (RegTech) is a solution which capitalizes on the innovation driving FinTech and
applies it to an organization’s risk monitoring and compliance functions to improve the efficiency with which
it executes its risk management framework. RegTech can be used by financial institutions to advance the
automation and streamlining of data collection and analysis, which feeds into the production of analytical or
actionable reports. Surveys conducted in 2018 list the top operational risk challenges of the global financial
industry as the volume and pace of regulatory change and the ability to implement said changes (English
and Hammond 2018). Further, information technology (IT) disruptions (from cyber-attacks or outdated
systems), other forms of cyber risk, as well as model risk, rank alongside regulation as major operational
risk concerns in the short term (Marlin 2018). RegTech solutions may serve as useful tools to address
these issues within financial institutions.
Likewise, supervisors can harness the power of RegTech to improve the speed and quality of analytics, as
well as address the gaps in supervision due to the influx of new data and information required by the
changing financial and regulatory environment. RegTech supports communication across an independent,
digitized platform thus improving regulatory reporting and offering regulators the ability to directly access
institution data. In this way, supervisors will be able to conduct an unbiased analysis of company data and
flag issues in real-time, thus reducing resolution time for identified threats to financial stability through
2 Operational risk is defined as the risk of losses resulting from deficiencies in internal processes, people and systems, or from external factors and events (Basel Committee on Banking Supervision 2011). Compliance risk can form part of an organization’s operational risk function and is defined as “the risk of legal or regulatory sanctions, material financial loss, or loss to reputation…as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its activities” (Basel Committee on Banking Supervision 2005).
2.0 BACKGROUND 2
operational risk. The wealth of data available can also be simplified and structured in user-friendly
interfaces to inform forward-looking policy decision-making (Arner, Barberis and Buckley 2016).
This paper aims to introduce the concept of RegTech, in particular its potential contribution to domestic
operational risk management from an institutional as well as a supervisory3 perspective. While some
aspects of the institutional assessment can be generalized for the financial industry as a whole, the paper
focuses on the banking system given their size in the domestic financial system4. The selection of case
studies which demonstrate the use of RegTech by banks or supervisory bodies is fairly limited. In this
regard, Section 2 provides a background of RegTech development; Section 3 explores the evolution of the
local regulatory and reporting framework and the possible repercussions faced by banks; Section 4
discusses considerations surrounding the implementation of advanced RegTech solutions on domestic
activities; and Section 5 concludes.
2.0 BACKGROUND
2.1 Development of RegTech
The GFC revealed weaknesses in the regulation of the financial system and the avenues through which
financial companies were able to exploit loopholes in existing rules and contribute to the build-up of
systemic risk5. In response, international standard-setting bodies and market supervisors have issued
guidance and legislation that have materially changed the way in which financial institutions design and
implement their risk management frameworks. By 2015, the total number of regulatory changes since the
GFC, including publications and announcements, had increased by an estimated 492 per cent (Hugé,
Duprel and Pescatore 2017). Among other things, the new rules were intended to mitigate the risks of
complex products that developed pre-crisis, which were heightened by the expansion of cross-border
financial conglomerates in the absence of consolidated supervision. In order to improve transparency and
3 RegTech utilized in the supervisory capacity is also referred to as “SupTech”. 4 The consolidated banking system of Trinidad and Tobago accounted for approximately 46 per cent of financial system assets as of December 2017 (CBTT 2018). 5 Some bank holding companies took advantage of regulatory inconsistencies between banks and their non-banking subsidiaries including: the differences in capital requirements; recognition of and provision for loan losses; as well as consumer compliance regulations that ensured borrower creditworthiness (Demyanyk and Loutskina 2014).
2.0 BACKGROUND 3
aid in monitoring the accumulation of risk in the macro-financial environment, regulators have exponentially
increased their demands with respect to the frequency and granularity of institutional data.
These developments have proven to be a challenge for both regulators and financial institutions whose IT
systems have not been well-equipped to handle the volume and complexity of regulatory changes in the
rapidly evolving financial environment. Legacy systems that have been developed pre-crisis are
characteristically costly to maintain, difficult and expensive to modify, prone to crashes and susceptible to
cyber-attacks (Armstrong 2017). Given the pace and scale of regulatory reform, increased time, managerial
attention and human and capital resources are therefore necessary to ensure institutions are not at risk of
substantial fines for breaching regulation and failing to implement adequate controls. Given potentially
compounding operational expenses, the need for a more sustainable, cost-efficient solution is evident.
More recently, the financial system has benefitted from innovations such as artificial intelligence, distributed
ledger technology, mobile access and cryptography. These and other technologies have enabled the
digitization and automation of new and traditional products and services in the financial sector, that have
lowered transaction costs, supported financial inclusion, increased competition and improved the efficiency
of banking processes (Basel Committee on Banking Supervision 2018). However, the spread of FinTech
companies and the transformation of financial services have presented new risks including cyber risks,
interconnectedness and concentration risk (He, et al. 2017, Basel Committee on Banking Supervision
2018). Three major forms of cyber risk exist – business disruptions, fraud and data security breaches.
While business disruptions and fraud can lead to direct financial losses, all forms can affect an institution’s
bottom line through its impact on reputation and associated legal costs (Bouveret 2018).
The reluctance to upgrade functionally inefficient systems has placed some firms at a competitive
disadvantage as they are not able to maximize the benefits of technological innovation being adopted by
peers in the industry. Regulators are also challenged with the pressure of upgrading IT infrastructure in
order to process the large and complex datasets being requested of the institutions, as well as the unique
digital data introduced by these FinTech products and services. RegTech therefore has emerged as an
opportunity for regulators and financial institutions to overcome these challenges by addressing operational
risks related to veracity of data and information; antiquated processing systems; business disruptions;
information security breaches; and overall regulatory compliance.
2.0 BACKGROUND 4
2.2 RegTech Solutions Offered by Third-party Service Providers
In recent years, there has been an acceleration in the growth of companies that offer innovative solutions
for compliance and regulation as the popularity and application of FinTech has expanded. These include
small start-ups as well as globally recognized consulting companies which tend to specialize by: solution(s)
offered; sector in the financial system; and institution- or regulator-focus. In the past, new regulation
typically resulted in the costly, time-consuming development of an appendage to legacy systems, which
had to be adapted to remain in sync with existing IT infrastructure (Hugé 2018). These traditional systems
currently dominate the compliance space. RegTech firms can provide independent, agile alternatives that
are able to keep up with the pace of regulatory changes while reducing physical and operational costs of
amendments.
The solutions offered by RegTech companies, as well as the various technologies supporting their
implementation, have been categorized in Figure 1.
Figure 1: RegTech Solutions and Enabling Technologies
Source: Categorization based on Hugé, Duprel and Pescatore (2017).
2.0 BACKGROUND 5
Table 1 provides a brief overview of the specific innovations that underlie RegTech solutions.
Table 1: Enabling Technologies
TECHNOLOGY DESCRIPTION
Cloud Computing/
Cloud-based Services/
Hosted Solutions
Cloud computing, also called cloud based services or hosted
solutions, utilizes remote servers hosted over the internet to
maintain, process, share and back-up stored data.
Application Program
Interface (API)
API refers to the suite of rules and standards that define how
different software communicate and interact with each other.
Big Data Analytics
Big data analytics refers to the real-time organization and
mining of large volumes of structured and unstructured data
to unearth correlations and trends.
Artificial Intelligence
(AI)
AI is the science which utilizes computers to make
automated decisions, predictions and recommendations
informed by insight garnered through the analysis of big
data.
Machine Learning
Machine learning is the subset of AI that enables computers
to continuously analyse and learn from trends observed in
reported data, without the need for specific programming to
define the new learning.
Distributed Ledger
Technology (DLT)
DLT refers to the platform that allows a database to be
replicated, shared and synchronized across a network of
multiple parties, creating a permanent digital record of any
mutually-agreed upon transaction. The term DLT is often
used synonymously with blockchain, although the blockchain
is one type of distributed ledger.
Biometric
Technologies
Biometric technologies facilitate the automated
authentication of a client by validating distinctive
characteristics that have previously been captured and
stored digitally.
Source: (He, et al. 2017, Institute of International Finance 2015, Mills, et al. 2016, Toronto Centre 2017).
2.0 BACKGROUND 6
Accordingly, the issues that can be addressed by RegTech solutions are described as follows:
2.2.1 Regulatory Reporting
The growing volume and granularity of data expected by licensees, and the transference and
storage of large files have become an issue. Problems manifest particularly when data is
requested and collected in a form that mimics paper reports, despite being shared
electronically (Institute of International Finance 2016). Manual completion and processing of
regulatory returns is more likely to be time consuming and prone to human error.
Regulatory reporting solutions focus on the automation of data sharing through the use of API
and cloud computing, where regulators can access data and information in a structured,
simplified format on a centralized server. This could assist the audit process by allowing the
review of real-time transaction data to enhance monitoring and auditing. In contrast, DLT offers
a decentralized solution where data and information can be shared quickly and accurately on a
secure blockchain. Both innovations organize data in a format that enables the application of
big data analytics to produce standard and ad hoc reports as desired by the regulator. This
process can reduce the overall costs involved in sharing information with the regulator, thus
increasing efficiency and reducing the cost of compliance.
2.2.2 Risk Management
Post-GFC regulation such as Basel III stipulates capital and liquidity requirements that can be
estimated by standardized methods or internal modelling. Stress testing and scenario
analysis6, expected loss provisioning7 as well as other types of risk modelling depend on large
amounts of aggregated risk data (both historical and forward-looking) to understand and
improve forecasts of future threats. Additionally, more stringent requirements in place for
Global Systemically Important Banks underscore the need for effective risk data aggregation
and reporting (Basel Committee on Banking Supervision 2013).
Risk management solutions enable the automation and simplification of risk data in a well-
organized database to compute, inter alia, current exposure levels, capital, asset quality and
6 As expected under Pillar II of the Basel III capital requirements. 7 As defined in the International Accounting Standard Board’s IFRS 9 Financial Instruments requirements.
2.0 BACKGROUND 7
liquidity ratios. AI and machine learning can be utilized to detect and assess risks of non-
compliance to identify threats in advance and encourage corrective action. In particular,
modelling components can hinge on big data analytics by applying intense computing power
to the data available.
2.2.3 Transaction Monitoring
Know your customer (KYC) regulations refer to the set of rules that require financial institutions
to collect and analyse customer or counterparty data to aid in the detection and prevention of,
inter alia, fraud, money laundering and terrorism financing. KYC processes should
continuously monitor regular transactions so that suspicious activity will be flagged, as well as
assess the level of risk posed by the counterparty through exposures to known individuals (for
example, politically exposed persons).
The decentralized database created by DLT makes KYC processes more efficient by storing
immutable transaction data that can be updated by institutional members of the blockchain,
thus establishing a permanent financial record. AI and machine learning can be applied to
this transactional data to interpret patterns in customer behaviour and flag, prevent or report
suspected illegal activity in real time. Reporting this information forms a key component of
compliance with Anti-Money Laundering (AML) and Combatting the Financing of Terrorism
(CFT) regulations.
2.2.4 Identity Management and Control
Counterparty due diligence and KYC tasks, as required by AML/CFT regulations, can be
manual and repetitive in nature and therefore not efficient or economical. The issue has come
to the fore in light of correspondent banking relationships as institutions could benefit from the
ability to leverage KYC performed by other organizations (Institute of International Finance
2016).
Identity management and control tools can hinge off of DLT by storing all KYC information in a
secure database, creating a digital identity for a customer or counterparty which can be
accessed in a timely and cost-efficient manner for identity checks. By storing due diligence
data in a decentralized location, financial institutions that have agreed to participate in the
blockchain can immediately access and transparently update KYC data on shared customers
2.0 BACKGROUND 8
and counterparties. Biometric technologies can also support blockchain identity control by
enabling digital identification through techniques such as fingerprint scanning and facial
recognition. Further, AI, machine learning and big data analytics can be applied to analyse
the existing database and produce ad hoc reports on specific customers or type of customer by
risk exposure to aid the risk management function.
2.2.5 Compliance
The compliance function involves regulatory watches which keep track of relevant upcoming
regulation; compliance project management which defines the tasks and resources necessary
to comply with new regulation within a stipulated timeline; regular compliance health checks;
and cyber security and due diligence (Hugé, Duprel and Pescatore 2017). These tasks can
become very complex as they require input and coordination of several areas of an
organisation.
Compliance solutions offer improved, real-time regulatory watch based on AI which automates
the interpretation of regulation. This aids in continuous compliance health check and makes it
easier for institutions to keep up with the pace of regulatory changes.
2.0 BACKGROUND 9
2.3 Growth of RegTech Internationally
While some organisations have long applied a rudimentary form of RegTech in their business, attention
was traditionally placed on the digitization of the regulatory reporting and compliance functions (Arner,
Barberis and Buckley 2016). It has been estimated that over 300 RegTech companies were established up
to 2016 but Figures 2 and 3 show that there has been tremendous growth since then, particularly in non-
traditional RegTech solutions provided by start-up companies (Alvarez & Marsal and Burnmark 2018).
Figure 2: Share of RegTech Startups by Solution8, 2017
Figure 3: Growth in Number of RegTech Startups by Solution, 2015 - 2017
Source: (Alvarez & Marsal and Burnmark 2018).
This reflects the objective of newer RegTech solutions to move from a concept of ‘big data’ to ‘smart data’,
by leveraging modern technologies (Ivanoski, et al. 2017). There appears to be strong global interest in
harnessing RegTech in the short term as evidenced by the 102 per cent growth9 in funding to the sector for
the year ended March 2016 (Transatlantic Policy Working Group Fintech 2017). Additionally, the 2016
Global CEO Outlook Study (KPMG International 2016) stated that CEOs believed economic conditions and
8 Regulatory compliance refers to “offerings that help banks in gathering regulatory intelligence, mapping policies, compliance governance and automated data sharing with regulatory authorities” and financial crime refers to “offerings that help banks monitor financial transactions in real-time to detect fraud, market abuse, money-laundering or terrorist financing activities” (Alvarez & Marsal and Burnmark 2018). These are comparable to this paper’s categorizations of Regulatory Reporting and Transaction Monitoring, respectively. 9 This represents investments of US$238 million across 34 deals.
Regulatory Compliance
33%
Risk Manage-
ment 25%
Financial Crime 10%
Identity Manage-
ment 24%
Compliance Support
8%
39.3
26.1 27.6
58.5
68.8
0.0
10.0
20.0
30.0
40.0
50.0
60.0
70.0
Gro
wth
, per
cen
t
Reg
ula
tory
Co
mp
lian
ce
Ris
k M
anag
emen
t
Fin
anci
al C
rim
e
Iden
tity
Man
agem
ent
Co
mp
lian
ce S
up
po
rt
2.0 BACKGROUND 10
technology would be the major contributors to the growth of their company. The Cost of Compliance 201810
survey report (English and Hammond 2018) supported this view by adding that 61 per cent of firms
surveyed anticipated an increase in their compliance budgets for 201811 to address, inter alia, investment in
compliance monitoring tools and activities; automation of old systems to improve efficiency in data reporting
and analysis; outsourcing of specific services; and additional skilled and senior resources.
Despite this, adoption of RegTech solutions to date is still in its nascent stages due to a number of
limitations including institutions’ uncertainty over the regulatory stance and credibility of untested
technologies (Financial Conduct Authority 2016). As such, there has been the introduction of “regulatory
sandboxes” for RegTech and FinTech where institutions are encouraged to experiment with new innovative
technologies in a controlled environment. Regulatory sandboxes have been established in jurisdictions
such as the United Kingdom, Australia, Singapore, China and Hong Kong (Baxter 2016).
The attention placed on technological innovation in more developed countries is reflected in the global
distribution of RegTech firms at the end of March 2017 (Figure 4). Developing countries, such as those in
the Caribbean and the “rest of the world”, have been slower to adopt as advances in technology and its
application to the financial services sector have lagged behind.
Figure 4: Global RegTech Companies by Location, March 2017
Source: Illuminate Financial Management.
10 Thomson Reuters Regulatory Intelligence conducted its ninth annual cost of compliance survey in Q1 2018. Over 800 responses were received from members of the financial services industry, including asset management, insurance, banking and investment, from areas such as Asia, Australasia, Canada, Europe, Middle East, United Kingdom and the United States. 11 A mere 6 per cent expected costs to reduce.
US and Canada
33%
UK and Ireland
41%
Europe (excluding
UK) 17%
Rest of World
9%
2.0 BACKGROUND 11
2.4 SWOT Analysis of RegTech Solutions
RegTech solutions provide a range of opportunities for financial institutions and regulators. However, as
with any innovation, there are potential vulnerabilities. Table 1 presents the strengths, opportunities,
weaknesses and threats associated with RegTech.
Table 1 - SWOT Analysis
STRENGTHS WEAKNESSES
Reduce the cost of compliance in terms of
human resources and the avoidance of fines.
Cloud-based design facilitates easy, quick and
secure sharing of data.
Real-time insight through continuously
collecting and monitoring data.
Online presence increases vulnerability to
cyber-attacks.
Depending on the scenario, human judgement
may still be required to make appropriate
decisions.
OPPORTUNITIES THREATS
Improved KYC through improved customer
identification and authentication.
Greater efficiency for AML/CFT policy through
the use of AI to monitor vast amount of data.
Integrate regulatory reporting requirements and
fully automate reporting.
Facilitates compliance project management
through the use of tools which could aid in the
planning and tracking of upcoming regulations.
Improve risk data reporting capabilities.
Impact of cyber risk is potentially more
severe/widespread.
Misleading results if there is erroneously
inputted data.
Using RegTech solutions without fully
understanding the downsides can potentially
increase susceptibility to unknown/unidentified
risk.
Concentration risk if multiple organisations
utilize the same RegTech service provider.
Sources: (Bauguess 2017, Basel Committee on Banking Supervision 2018, Liebergen and Ekberg 2017, He, et al.
2017, Hugé, Duprel and Pescatore 2017, Arner, Barberis and Buckley 2016, Toronto Centre 2017).
3.0 LOCAL REGULATORY AND REPORTING FRAMEWORK 12
3.0 LOCAL REGULATORY AND REPORTING FRAMEWORK
3.1 The Central Bank’s Experience with Technology in Supervision
3.1.1 Data Collection and Processing
While the Central Bank of Trinidad and Tobago (the Central Bank) has not yet adopted any of the
advanced RegTech solutions discussed, the way in which it has utilized technology to facilitate banking
supervision has progressed over the years. Initially, the Central Bank relied solely on physical submissions
of regulatory forms from the financial institutions on a periodic basis, as mandated by the Financial
Institutions Act, 2008 (FIA). Upon receipt, data entry operators in the Financial Institutions Supervision
Department (FISD) and Research Department were responsible for entering the data onto a single
mainframe. There was no distributed computer system in place at the time and therefore, subsequent to
data input, the IT Department was responsible for centrally processing the data. They then generated
reports to be forwarded to relevant units or other departments.
The Central Bank began to embrace technological development and the use of personal computers was
adopted resulting in a change in operations. Data entry operators were now responsible for entering
information received from physical submissions into a Microsoft Excel template for further analysis. In
addition, Microsoft Access was utilized for the storage and review of relational data, for example, to
generate reports related to timeliness of submissions.
The reliance on Microsoft Excel however resulted in numerous data control errors. For example, multiple
versions of the same document would have existed after updates were made by one individual but not
communicated to all persons with access to the document. In addition, Microsoft Access was deficient in its
ability to easily generate time-series reports as it was limited to creating cross-sectional reports only. As
such, the benefits of having a centralised system for data warehousing which could also be used for time-
series analysis became increasingly evident. This led the Central Bank to consider available software which
could facilitate this process.
In 1994, coinciding with the revision of the regulatory forms, a decision was taken by the Central Bank to
utilize new software to assist in its data processing function. The Forecasting Analysis and Modeling
Environment (FAME) software was adopted in 1995 to automate some aspects of the process to a greater
3.0 LOCAL REGULATORY AND REPORTING FRAMEWORK 13
extent. However, while this system facilitated easier aggregation of data, the Central Bank still relied on
physical submissions by the financial institutions for some time.
At present, reporting institutions are required to submit hard (physical) and soft (using Microsoft Excel)
copies of relevant forms to the Statistics Department of the Central Bank. Completed soft copies are
encrypted and submitted via electronic mail. The Statistics Department is then tasked with the responsibility
of verifying the data received and uses the FAME software to facilitate this process. Although software
applications are utilized, it can still be a time-consuming and human resource intensive process since
persons are usually heavily involved with performing checks and balances on data that may have to be
addressed and resubmitted. Further, the deadline for submitting different regulatory may differ (for
example, 10, 15, or 20 working days after the end of the month) adding to the effort needed to keep track of
adherence to stipulated deadlines.
3.1.2 Monitoring Banks’ Compliance
In the past, the rules-based or compliance-based approach to supervision was applied and placed
emphasis strictly on breaches in compliance and the legal consequences for the institution. A more pro-
active approach to supervision has developed internationally which focuses also on the inherent risks within
an institution due to their financial positions, cross-border activities, business models and management
practices. The FISD applies this risk-based supervisory framework, comprising on-site examinations, off-
site monitoring and ad hoc analyses to assess the continued safety and soundness of licensees.
With respect to the banking system, that is, the commercial banks and non-banking financial institutions,
on-site examinations take the form of meetings with designated representatives. Several matters are
discussed, including: reports on institutional practices; progress with meeting governing standards;
performance of the institutions; and future plans of the institution. These are performed on a routine basis
whereas ad hoc analyses are unplanned interventions which may take place as and when required.
Off-site examinations depend heavily on the data aggregated by the Statistics Department. The FISD
peruses the data using Microsoft Excel to review trends and identify anomalies by comparing information
received with benchmarks. Further, the FISD is responsible for reviewing minutes of the Boards of
Directors of the banks to monitor governance practices as well as ensure they remain compliant by
upholding the mandates set out by the FIA. This process is inevitably human resource intensive since there
is no automated method for highlighting particular items that may trigger risk.
3.0 LOCAL REGULATORY AND REPORTING FRAMEWORK 14
While the primary focus of the FISD is micro-prudential supervision, that is, promoting the stability of each
of its licensees by assessing idiosyncratic risks, it is complemented by a macro-prudential approach.
Macro-prudential supervision aims to limit systemic risk within the financial system whereby stress
emanating from a component of the financial or real sector threatens the health of the financial system as a
whole, with negative feedback effects for the real economy. The macro-prudential analysis function lies
primarily within the Research Department which monitors vulnerabilities and risks to financial system
stability through routine analysis of financial soundness and early warning indicators, as well as internal
stress testing. This is performed in the context of developments within the financial or real sector, which are
actively monitored to determine the potential to trigger systemic risk.
3.2 Impact of New and Amended Standards on Banks’ Cost of Compliance
Regulation in the local financial landscape is driven by standards set by international bodies. For example,
the Central Bank is heavily guided by changes in the Basel Framework as outlined by the Basel Committee
on Banking Supervision (BCBS) as well as the International Financial Reporting Standards (IFRS)
developed by the International Accounting Standards Board (IASB). Other applicable developments include
the Tax Information and Exchange Agreements (United States of America (US)) Act (TIEAA) under which
the Financial Account Tax Compliance Act (FATCA) is covered, as well as updated guidelines set by the
Financial Action Task Force (FATF) on AML/CFT.
3.2.1 The Basel Framework
The Basel Framework is one of the main guiding principles used by the Central Bank in its oversight of
banking licensees. Basel guidelines are meant to serve as basic minimum standards which should be
employed in order to minimize the development of credit, market and operational risk and outlines
measures which should be adopted by banks and supervisory authorities to restrain growth of such risks.
The initial set of principles issued by the BCBS in 1988, known as Basel I, has been revised over time to
close regulatory gaps. This included the issuance of Basel II in 2004, as well as the latest iteration, Basel
III, which was intended to enhance and supplement Basel II to address issues observed in the GFC.
3.0 LOCAL REGULATORY AND REPORTING FRAMEWORK 15
Locally however, banks continue to be assessed on Basel I principles while plans are underway for the
formal implementation of Basel II standards and some elements of Basel III. 12 The proposed changes to
the supervisory framework under this new model would require that banks pay greater attention to the risk
monitoring and reporting processes given the introduction of an additional charge for operational and other
risks not captured under Basel I. Adherence to updated standards stipulates that banks take measures to
identify and manage potential risk; promote enhanced data reporting and aggregation; and ensure
disclosures are in line with updated standards. These proposals would undoubtedly impact banks’ modus
operandi, and it is expected that additional human and infrastructural (IT) resources will be necessary to aid
in compliance.
3.2.2 Foreign Account Tax Compliance Act13
FATCA is legislation aimed at combatting tax evasion by citizens of the US who hold offshore accounts.
The law requires financial institutions to enter into an agreement with the US Internal Revenue Service
(IRS), the TIEAA, in order to disclose information related to account-holders who are US citizens.14
The principal impact of FATCA legislation on the cost of compliance is through the cost of updates to
procedures to ensure that all relevant information is obtained from customers and further, ensuring
consumer data is stored in a central location (Bandyopadhyay 2014). This is intended to support due
diligence in terms of KYC data collection, customer identification and reporting, both in terms of new and
existing accounts. Given the repercussions for non-compliance with FATCA15 and the threat to
correspondent banking relationships with the US, local institutions would have been compelled to make
adjustments to adhere to these guidelines. At the same time, the supervisory process would have been
adjusted to consider these new requirements.
3.2.3 International Financial Reporting Standards
The International Financial Reporting Standards (IFRS) are a set of standardized accounting principles
developed by International Accounting Standards Board (IASB) which are used to guide accounting
practices and reporting globally. Similar to the evolution of the Basel standards, accounting standards have
12 See Proposals for the Implementation of Basel II/III for Institutions Licensed under the Financial Institutions Act, 2008 Phase I, December 2014. 13 (Internal Revenue Service 2018)and (Bandyopadhyay 2014). 14 The law also requires “Non-Financial Foreign Entities to disclose the identity of their US owners to the IRS.” 15 In the form of a 30 per cent withholding tax on US denominated transactions.
3.0 LOCAL REGULATORY AND REPORTING FRAMEWORK 16
advanced over time to address transforming risk. Following the GFC, a significant change was made to the
way credit risk should be modelled in the new IFRS 9 standard. In particular, an expected credit loss
impairment model, in which banks would be required to recognize an impairment provision before a loss
event actually occurred, was recommended to replace the incurred loss model previously employed
(Deloitte 2016).
IFRS 9 became mandatory for companies for annual reporting periods beginning on or after January 1,
2018. Locally, the transition to IFRS 9 is not yet complete but would require firms to make a number of
adjustments to current practices. The new Standard will necessitate changes to systems and processes
(PricewaterhouseCoopers 2017) which will enable the collection of relevant data to calculate expected
losses. However, banks may face modelling risk resulting in incorrect estimations due to over-complication
or misspecification of the expected credit loss model. There may be additional concerns with respect to
availability of resources and limitations of, and integration with, the current IT systems.
3.2.4 FATF Guidelines on Anti-Money Laundering/Combatting the Financing of Tourism
The FATF is an inter-governmental body which sets standards and proposes appropriate guidelines to aid
in combatting money laundering (ML) and terrorist financing (TF). In order to assess the adherence to
guidelines, the FATF conducts periodical reviews of member countries to determine whether sufficient
measures have been taken by governments and financial institutions to ensure compliance.
From the financial institutions’ perspective, and similar to requirements to adhere to stipulations under the
FATCA, customer due diligence is also important to ensure compliance with FATF Recommendations. The
most recent FATF Mutual Evaluation Report for Trinidad and Tobago conducted in 2016 noted that the
country suffered from a range of deficiencies with respect to compliance. Many of the gaps identified
stemmed from the actions (or inaction) of the authorities responsible for ML and TF, for example, the
National AML/CFT Committee and the Financial Intelligence Unit of Trinidad and Tobago. However, it was
highlighted that financial institutions were considered to have a low compliance in the area of customer due
diligence. Notably however, local banks have been keen on adopting measures to better identify and track
clients, as well as take measures against ML and TF risks by investing in infrastructure to aid in ensuring
compliance with recommendations.
4.0 OPPORTUNITIES AND CHALLENGES 17
4.0 OPPORTUNITIES AND CHALLENGES
In the context of the changing financial landscape and the availability of newer technologies, current
approaches to supervision and risk management in Trinidad and Tobago may be inadequate and would
benefit from the introduction of modernized RegTech solutions. The same toolset is available to both
regulators and licensees; however, their particular objectives dictate RegTech application within their
organisations. It must be underscored that RegTech companies are third-party service providers and are
not ultimately responsible for ensuring an institution remains compliant or executes sound risk management
strategies (Armstrong 2017). Rather, they are technology companies limited to the functions predefined
within their systems. It is therefore pertinent that users of the systems – regulators and licensees alike – be
au courant with the application of relevant solutions as well as interpretation of their output as it relates to
informing forward-looking policymaking and risk management decisions.
4.1 The Effect of RegTech on Regulators’ Job Specifications
RegTech is seen as complementary to the role of the regulator, rather than a replacement. While some
solutions may automate specific regulatory functions, expert judgement based on trends and experiences
will remain a vital part of forward-looking policymaking. RegTech has the potential to impact several
regulatory responsibilities including, but not limited to, the statistics function, financial institution supervision
and macro-prudential supervision.
4.1.1 Statistics
The traditional use of templates issued to licensees for data collection (see Section 3.1) limits
flexibility in data manipulation, increases the likelihood of inconsistencies across different reporting
templates (as well as individual versus aggregate system data) and can hinder efficient data
aggregation as required by post-crisis regulatory reform (Toronto Centre 2017). Further, if
additional data were desired, it could only be achieved through a costly amendment to the relevant
systems; this may draw objection from licensees.
The regulatory reporting solution may be of most value to the statistician. This can support the
collection of a vast amount of granular data, which can be verified, manipulated and analysed.
Employees would no longer be required to manually verify data quality, thus reducing processing
4.0 OPPORTUNITIES AND CHALLENGES 18
time and the likelihood of human error. Instead, the focus would be on extracting unique data sets
from the wealth of information in order to report on emerging trends.
4.1.2 Financial Institution Supervision
On-site visits conducted by the supervisor serve to complement intelligence gathered from regular
reporting and allows the supervisor the opportunity to conduct a more thorough investigation into
possible deficiencies observed through off-site analysis of submitted data and information.
However, data reporting is typically lagged and a complete picture may not be available due to
inconsistent frequencies with which different reports are required. This delays supervisory action in
addressing heightened vulnerabilities.
RegTech analytics can be used as an input to the supervisory risk-based approach, leveraging the
regulatory reporting, risk management and compliance solutions. These can be used to produce
comprehensive risk profiles, including key performance indicators for individual institutions, based
on readily available and up-to-date data. Supervisors can have real-time access to data and
transactions which aids in timely identification or notification of breaches in compliance and other
areas where supervisory attention may be most necessary for early intervention.
4.1.3 Macro-prudential Supervision
Macro-prudential supervision takes a broader approach to financial supervision and seeks to
pinpoint areas that pose systemic risk to the entire financial sector or the wider economy. As with
the current approach to financial institution supervision, supervisory action can be delayed posing a
risk to financial stability.
RegTech can provide structure to large amounts of data, both internal and external (even outside
of the financial system), to extract useful information on developments within the real or financial
sector that can impact financial soundness indicators. Forward-looking supervision will leverage
more efficient data collection and RegTech analytics to direct supervisory resources as necessary.
4.0 OPPORTUNITIES AND CHALLENGES 19
4.2 The Effect of RegTech on the Relationship between the Regulator and its Licensees
Following from above, RegTech can positively impact the type of interaction observed between the Bank
and regulated institutions through enhancing various components of the supervisory process. For example,
Increased Collaboration and Communication – Employment of RegTech to the reporting
process would result in greater collaboration and communication between the Central Bank and its
licensees. Regulatory changes and updates may be plentiful and potentially daunting to licensees
which are tasked with the responsibility of understanding exactly what is required of them and
subsequently taking measures to ensure that requirements are met. RegTech can aid in the
communication process since it would involve standardization of data and clarity in terms of what
exactly would be collected and for what purpose. Further opportunities exist in terms of the
application of machine-readable regulation which proposes the standardization of regulatory
requirements in a manner that would allow RegTech solutions to automatically address additional
requests made by the regulator (Butler, North and Palmer 2018).
Facilitate Transparency and Trust among Parties – Advanced RegTech techniques could
facilitate the real-time observation of data and allow for corrective action to be taken rapidly if
needed, and with greater transparency, engendering trust among all parties involved. As a direct
result of the extensive detail required to adhere to increased regulatory demands, RegTech could
improve the accuracy of reporting by financial institutions as well as the Central Bank’s ability to
process, interpret and report on the information received.
Enhanced Reporting – RegTech could further enhance exchange of information relating to KYC
requirements among parties, given increased efficiencies in the due diligence process which could
be facilitated through enhanced data collection, storage and streamlining of information related to
customers. Digital identities associated with customers could also enhance banks’ ability to identify
and flag suspicious activity. With established agreement between the parties, the Central Bank can
capitalize on this database using DLT to perform necessary checks and balances.
4.0 OPPORTUNITIES AND CHALLENGES 20
4.3 Challenges to Adoption and Implementation
Long-run gains in efficiency resulting from changes in the modus operandi of different stakeholders are
expected to offset direct expenses brought on by the acquisition of RegTech solutions through a third-party
service provider. However, the magnitude of these and other associated costs must be thoroughly
assessed. Beyond direct budgetary constraints, other challenges to adoption and implementation exist and
must be considered in evaluating the feasibility of RegTech introduction. These include:
Conversion of legacy systems – Traditional legacy systems are based on complex architecture
and may have been designed to record data in a limited format. They typically do not have the
capacity to capture the volume, granularity or cross-section of data required to apply RegTech
solutions hinged on AI or big data analytics. Upgrades to existing architecture can be considered
short-term fixes. Investment must be made in conversion to software-based infrastructure to, inter
alia, manage big data or construct relational databases in the digital space.
Investment in human resources – In the short term, RegTech introduction can mean increased
expenses in training existing staff (including management) in the correct usage of the systems and
interpretation of the output. It may also require investment in new employees who have the
requisite working knowledge of the innovative technologies and the skillset to combat associated
risks. In the long-run, RegTech solutions may result in a reduction in staff or a realignment of
responsibilities that rely on expert judgement.
Risk averse culture/ Uncertainty over regulation – Globally, there has been hesitation
surrounding innovation, particularly for newer solutions which do not yet have a proven track
record. Management, particularly those without the technological expertise, may be more risk
averse and prefer to invest in upgrading legacy systems rather than ‘experiment’ with technology-
based solutions. For financial institutions, this uncertainty is compounded by doubts surrounding
supervisory approvals, making engagement with RegTech firms risky.
Third-party risk – A disruption or deterioration in the quality of services provided by the RegTech
firm can result in a direct operational cost to the institution, which bears ultimate responsibility for
regulatory compliance. Further, concentration risk exists if several institutions and/or the regulator
share the same service provider. Disruptions in this scenario can have systemic implications.
4.0 OPPORTUNITIES AND CHALLENGES 21
Cyber Security – Movement to software-based infrastructure increases vulnerability to cyber-
attacks that can disrupt service as well as expose sensitive customer or institution data.
Weaknesses in cyber security can also give way to theft as well as integrity issues such as fraud.
These can generate significant operational losses and compromise the reputation of affected
institutions.
The expected benefits to be gained from the introduction of RegTech solutions warrant further investigation
to determine the ways in which these challenges may be overcome or minimized within a financial
institution or regulatory authority. This may mean a strategic adjustment to long-term planning within the
organizations and greater collaboration among stakeholders, including regulators; financial institutions;
RegTech service providers; academia; and other players in the market. Two-way communication is key to
avoid misinterpretation of regulatory requirements.
5.0 CONCLUSION AND RECOMMENDATION 22
5.0 CONCLUSION AND RECOMMENDATION
This paper aimed to introduce the concept of RegTech, whose popularity has been accelerating within the
international financial services industry. It is evident that its introduction into the financial landscape can
provide significant opportunities for operational risk management from an institutional perspective to ensure
compliance with changing regulatory rules. While it is in its nascent stages in the global regulatory sphere,
there exists tremendous potential for increased efficiency in routine operations and it can serve as a
complementary tool, along with expert judgment, for effective supervision.
The local financial sector has embraced financial innovation. Institutions have reported enhancements to
internal operations in a bid to increase digitization and it is evident that there is a desire to increase the
efficiency of internal processes and facilitate the adherence to updated requirements. As such, the
regulator must keep abreast of operational risks inherent in newer forms of technology and investigate the
tools offered by RegTech to mitigate these risks. The regulator should also aim to encourage technological
development and innovation, without compromising financial stability. Careful planning must go into the
timing of new regulation lest it prematurely stymie growth.
Initiatives such as the “regulatory sandbox” have been a starting point in several jurisdictions to foster more
practical understanding of the innovative technologies as it pertains to an institution’s needs and business
model. The regulator must remain cognizant of the risks in the selection of a service provider, both in terms
of operational availability as well as confidentiality of data shared. These issues may surface through
regulatory sandbox experiments which can provide greater insight into systemic risks that could manifest as
a result of implementation. Results of sandbox initiatives can therefore guide conversations surrounding
additional regulation which may be necessary to facilitate use of the solutions.
In order to support the activities required to ensure compliance by financial institutions, research should be
extended to identify RegTech firms and the services they offer with respect to supervisory RegTech.
Subsequently, a thorough feasibility assessment should be conducted for the Central Bank and
consideration should be given to system interoperability between an individual institution and the regulator.
In the meantime, the Central Bank continues to monitor regional and international developments in the
RegTech space as it makes on-going strides in improving risk-based supervision for the promotion of
financial stability.
Bibliography 23
Bibliography Alexander, Kern. Financial Inclusion, FinTech and RegTech. Centre for Risk Studies, University of Cambridge, 2017.
Alvarez & Marsal and Burnmark. “RegTech 2.0.” 2018.
Armstrong, Patrick. “The Adoption of RegTech within the Financial Services Industry: Ten years from the Start of the
‘Great Financial Crisis’.” European Securities and Markets Authority. May 2017.
https://www.esma.europa.eu/sites/default/files/library/pka_speech_regtech.pdf (accessed January 2018).
Arner, Douglas W., Jànos Barberis, and Ross P. Buckley. FinTech and RegTech in a Nutshell, and the Future in a
Sandbox. Research Foundation Briefs, CFA Institute Research Foundation, 2017.
Arner, Douglas W., Jànos Barberis, and Ross P. Buckley. “FinTech, RegTech and the Reconceptualization of
Financial Regulation.” Northwestern Journal of International Law & Business, Forthcoming, 2016.
Arner, Douglas W., Janos Nathan Barberis, and Ross P. Buckley. “The Emergence of Regtech 2.0: From Know Your
Customer to Know Your Data.” Journal of Financial Transformation 44, 2016: 79-86.
Augur, Hannah. “RegTech: The 2016 Buzzword is Turning Heads.” Dataconomy. 3 May 2016.
http://dataconomy.com/2016/05/regtech-the-2016-buzzword-is-turning-heads/ (accessed January 19, 2018).
Bandyopadhyay, Subhasis. “Impact of FATCA on financial institutions .” Mindtree. 2014.
https://www.mindtree.com/sites/default/files/2017-10/369_mindtree-thought-posts-white-paper-impact-of-
fatca-on-financial-institutions.pdf (accessed June 2018).
Basel Committee on Banking Supervision. Compliance and the compliance function in banks. Bank for International
Settlements, 2005.
Basel Committee on Banking Supervision. Principles for effective risk data aggregation and risk reporting. Bank for
International Settlements, 2013.
Basel Committee on Banking Supervision. Principles for the Sound Management of Operational Risk. Bank for
International Settlements, 2011.
Basel Committee on Banking Supervision. Sound Practices: Implications of fintech developments for bank and bank
supervisors. Bank for international Settlements, 2018.
Bauguess, Scott W. The Role of Big Data, Machine Learning, and AI in Assessing Risks: a Regulatory Perspective.
21 June 2017. https://www.sec.gov/news/speech/bauguess-big-data-ai.
Baxter, Lawrence G. “Adaptive Financial Regulation and RegTech: A Concept Article on Realistic Protection for
Victims of Bank Failures.” Duke Law Journal Vol. 66, 2016: 567-604 .
Bouveret, Antoine. Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment. Working Paper,
International Monetary Fund, 2018.
Butler, Tom, Paul North, and John Palmer. A New Paradigm for Regulatory Change and Compliance. RegTech
Council, 2018.
CBTT. Financial Stability Report 2017. Central Bank of Trinidad and Tobago, 2018.
Deloitte. “A Drain on Resources? The impact of IFRS 9 on Banking Sector Regulatory Capital.” 2016.
Deloitte. RegTech is the new FinTech. How agile regulatory technology is helping firms better understand and
manage risks . Deloitte, 2017.
Demyanyk, Yuliya, and Elena Loutskina. A Gap in Regulation and the Looser Lending Standards that Followed.
Economic Commentary, Federal Reserve Bank of Cleveland, 2014.
Eldridge, Paul W. The FATCA Challenge Facing Caribbean Banks. PricewaterhouseCoopers Bermuda, 2012.
English, Stacey, and Susannah Hammond. Cost of Compliance 2017. Thomson Reuters, 2017.
English, Stacey, and Susannah Hammond. Cost of Compliance 2018. Thomson Reuters, 2018.
English, Stacey, and Susannah Hammond. Fintech, Regtech and the Role of Compliance: A Regulatory Opportunity
or Challenge? Thomson Reuters, 2016.
Bibliography 24
Financial Conduct Authority. “Call for Input: Supporting the Development and Adoption of RegTech .” 2015.
Financial Conduct Authority. “Feedback Statement: Call for Input on Supporting the Development and Adopters of
RegTech.” 2016.
Financial Stability Board. “Financial Stability Implications from FinTech.” 2017.
Goodspeed, Ingrid. “Cost of regulatory compliance in the aftermath of the global financial crisis.” SA Financial
Markets Journal. 2015. https://financialmarketsjournal.co.za/cost-of-regulatory-compliance-in-the-aftermath-
of-the-global-financial-crisis/ (accessed 2018).
Gutierrez, Daniel. “Big Data for Finance - Security and Regulatory Compliance Considerations.” Inside Big Data. 20
October 2014. https://insidebigdata.com/2014/10/20/big-data-finance-security-regulatory-compliance-
considerations/ (accessed January 19, 2018).
He, Dong, et al. Fintech and Financial Services: Initial Considerations. IMF Staff Discussion Note, International
Monetary Fund, 2017.
Hugé, François-Kim. “Using RegTech to Transform Compliance and Risk from Support Functions into Business
Differentiators.” Inside Magazine - Edition 2018, 2018.
Hugé, Francois-Kim, Carlo Duprel, and Giulia Pescatore. “The promise of RegTech. Elevating regulatory risk
management in the financial industry to an effective business management practice.” Inside Magazine -
European Union Edition, 2017: 46 - 51.
Institute of International Finance. “RegTech in Financial Services: Technology Solutions for Compliance and
Reporting.” 2016.
Institute of International Finance. “RegTech: Exploring Solutions for Regulatory Challenges.” 2015.
Internal Revenue Service. Foreign Account Tax Compliance Act. 16 March 2018.
https://www.irs.gov/businesses/corporations/foreign-account-tax-compliance-act-fatca (accessed June
2018).
Ivanoski, John M., Mike Walters, Deborah Bailey, and Jyoti Vazirani. “The transformative power of regtech.” KPMG.
2017. https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2017/06/transformative-power-of-regtech.pdf
(accessed 2018).
Kamesam, Vepa. “Recent Technological Developments in Indian Banking.” Money, Banking & Finance Vol. 46, 2003.
KPMG International. “2016 Global CEO Outlook.” 2016.
KPMG. “The nexus between regulation and technology innovation.” 2017.
Liebergen, Bart van, and Matt Ekberg. Improving global AML efforts with technology and regulatory reform. Briefing,
Institute of International Finance, 2017.
Marlin, Steve. Top 10 op risks: IT disruption heads 2018 poll. 2018. https://www.risk.net/risk-
management/5426111/top-10-op-risks-it-disruption-tops-2018-poll (accessed June 2018).
Mills, David , et al. Distributed ledger technology in payments, clearing, and settlement. Finance and Economics
Discussion Series, Federal Reserve Board, 2016.
Petrasic, Kevin, Benjamin Saul, and Helen Lee. Regtech rising: automating regulation for financial institutions . White
& Case, 2016.
PricewaterhouseCoopers. IFRS 9 for banks - illustrative disclosures. PricewaterhouseCoopers, 2017.
TABB Group. “Financial Markets: Embracing RegTech.” 2017.
Toronto Centre. “FinTech, RegTech and SupTech: What They Mean for Financial Supervision.” Note, 2017.
Transatlantic Policy Working Group Fintech. The Future of RegTech for Regulators: Adopting a Holistic Approach to
a Digital Era. Innovate Finance, 2017.